Let me recall the details of this attack. In essence, the user's authentication data is intercepted and redirected to another resource.
Such a redirect makes it possible to authenticate to and gain access to a third resource, usually followed by uploading a file and launching it.
The process by which the relay is carried out has been known for a long time, and it would seem that everything one might want to improve in it is already clear and well understood.
About a year ago Intercepter learned to redirect NTLMv2. Three months later a similar feature appeared in Metasploit, and individual enthusiasts began distributing their own implementations. That is the logical limit of the technique. SMBRelay itself is hardly used at all; in this respect it is far more convenient to implement NTLM relay over other protocols, HTTP in particular. Moreover, the life of SMBRelay in domain networks is complicated by the "invincible" Kerberos, which is also called the cure for SMBRelay. In my research I want to dispel this myth and present a completely new approach to attacking the SMB protocol.
It is worth noting that this is not quite SMBRelay; let's call the technique SMB Hijacking.
Let's start from afar...
An NTLM-Response grabber built into the WPAD MiTM appeared in the new version of Intercepter.
For convenience, so that one can quickly check whether a password is empty or weak, it was decided to make it possible to launch John the Ripper on the captured hashes directly from Intercepter. After that, every hash that the Intercepter sniffer captures and that JTR is able to brute-force was converted into the appropriate format.
Wireshark's archive of sample captures contains a log with Kerberos authentication, from which Cain was able to extract a hash and recover the password by brute force.
Brute force is possible because in the AS-REQ request a timestamp encrypted with the user's password is sent to the authentication server, and part of it is known in advance. A Kerberos authentication handler was added and tested against a live domain controller (Windows 2008 R2). Surprisingly, no hash was captured. The problem is that Windows 2008 added a new encryption algorithm, and instead of the previously used rc4-hmac, aes256-cts-hmac-sha1-96 is now used by default. This hash was extracted from the packet in the same way as rc4-hmac, but another problem arose.
At present there is no brute-forcer that can recover the password from a timestamp encrypted with aes. On the John mailing list one person wrote a patch for JTR, but judging by the reviews it is still raw, and most importantly the process is several hundred times slower than brute-forcing rc4.
For this reason Intercepter got an option to downgrade the encryption algorithm from aes to rc4. Unfortunately, since Vista des encryption is disabled, so rc4 is the minimum and there was no reason to downgrade any lower.

The downgrade is performed simply by replacing the supported encryption types in the victim's outgoing packet.
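The downgrade described above leaves a trace in the domain controller's own logs, because a client that offers only rc4 is issued an rc4-encrypted ticket. The following is an added example, not part of the original article and not Intercepter's code: a small Python detector that parses constructed Windows Security event 4768 records (flattened here to one "Key: value | Key: value" line each, which is an assumption about the export format) and alerts when an account that was previously issued AES tickets suddenly receives an rc4 or des one. A legacy account that has only ever used rc4 is not flagged, so the heuristic keys on the transition rather than on the weak type alone.

```python
# Kerberos encryption type numbers (RFC 3961 / MS-KILE) as logged in the
# "Ticket Encryption Type" field of Windows events 4768 (TGT) and 4769 (TGS).
ETYPE_NAMES = {
    0x01: "des-cbc-crc",
    0x03: "des-cbc-md5",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac",
    0x18: "rc4-hmac-exp",
}
STRONG_ETYPES = {0x11, 0x12}
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}


def parse_event(line):
    """Split a flattened 'Key: value | Key: value' record into a dict.

    partition() splits on the first colon only, so IPv6-mapped client
    addresses such as ::ffff:10.0.0.21 survive intact as values.
    """
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def detect_downgrades(lines):
    """Return one alert per successful TGT request whose ticket etype dropped
    from AES to a weak type for an account previously seen with AES."""
    aes_baseline = {}  # account -> first AES etype seen in a successful TGT request
    alerts = []
    for line in lines:
        ev = parse_event(line)
        # Only successful TGT requests; failed ones log 0xffffffff as the etype.
        if ev.get("Event ID") != "4768" or ev.get("Result Code") != "0x0":
            continue
        account = ev["Account Name"].lower()
        etype = int(ev["Ticket Encryption Type"], 16)
        if etype in STRONG_ETYPES:
            aes_baseline.setdefault(account, etype)
        elif etype in WEAK_ETYPES and account in aes_baseline:
            alerts.append({
                "account": account,
                "client": ev.get("Client Address", "?"),
                "from": ETYPE_NAMES[aes_baseline[account]],
                "to": ETYPE_NAMES.get(etype, hex(etype)),
                "pre_auth_type": ev.get("Pre-Authentication Type", "?"),
            })
    return alerts


# Constructed records modelled on the fields of Windows Security event 4768;
# the accounts, addresses and realm are made up for this demo.
SAMPLE_EVENTS = [
    "Event ID: 4768 | Account Name: alice | Client Address: ::ffff:10.0.0.21 | Result Code: 0x0 | Ticket Encryption Type: 0x12 | Pre-Authentication Type: 2",
    "Event ID: 4768 | Account Name: bob | Client Address: ::ffff:10.0.0.22 | Result Code: 0x0 | Ticket Encryption Type: 0x12 | Pre-Authentication Type: 2",
    "Event ID: 4768 | Account Name: svc_legacy | Client Address: ::ffff:10.0.0.40 | Result Code: 0x0 | Ticket Encryption Type: 0x17 | Pre-Authentication Type: 2",
    "Event ID: 4768 | Account Name: alice | Client Address: ::ffff:10.0.0.21 | Result Code: 0x0 | Ticket Encryption Type: 0x17 | Pre-Authentication Type: 2",
    "Event ID: 4768 | Account Name: bob | Client Address: ::ffff:10.0.0.22 | Result Code: 0x6 | Ticket Encryption Type: 0xffffffff | Pre-Authentication Type: -",
    "Event ID: 4769 | Account Name: alice@CORP.EXAMPLE | Client Address: ::ffff:10.0.0.21 | Result Code: 0x0 | Ticket Encryption Type: 0x12",
]

if __name__ == "__main__":
    for a in detect_downgrades(SAMPLE_EVENTS):
        print(f"{a['account']} from {a['client']}: {a['from']} -> {a['to']} "
              f"(pre-auth type {a['pre_auth_type']})")
```

Running the block reports a single alert, for alice. The same check can be fed from 4769 TGS events, and the durable fix is to remove rc4 from the accounts' allowed encryption types (the msDS-SupportedEncryptionTypes attribute) so the KDC rejects a request that offers only rc4 instead of honouring it.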
This is where the interest in Kerberos grew. A study of the literature showed that a replay attack on Kerberos packets is theoretically possible, but no practical examples or implementations were found.
While listening to and analysing the traffic, a completely strange question came up: why redirect anything anywhere at all?! Why?
What is an SMB session?
1. Host_A connects to Host_B
2. The session protocol (dialect) is negotiated
3. The authentication method is chosen
4. The command set...
Why relay the victim anywhere at all, if they are already fully authorised on the resource we need?!
You need to stand in the middle, proxy the connection, wait until Host_A logs in to Host_B, and then take control of the session.
We can wedge our own commands into an SMB session that has already been authorised. We do not care at all how the client was authorised, whether via NTLM or Kerberos!
The session itself is not encrypted, and SMB signing is not used by ordinary clients in 99% of cases.
Besides offering more possibilities, this technique is far more elegant than SMBRelay, and there is no longer any need to implement the SMB authorisation process oneself.
It is enough to implement the minimal set of commands needed to upload a file and launch it.
All of this functionality is included in the new version of Intercepter-NG and has been tested in real conditions on the latest versions of Windows 2008 and Windows 7/8.
What are the difficulties and peculiarities of implementing this attack?
Starting with Vista, the new SMB2 protocol is used. Its main differences from the old version are a simplified command set and improved performance.
It is important to observe two rules. First, each SMB session has its own Session ID; second, the SMB2 header has a command sequence number field,
that is, the sequence number of the command. To inject a command you have to specify the session identifier and increment the command counter.
Since the existing SMBRelay in Intercepter was based on someone else's code that used the old SMB format, it was decided not to bolt workarounds onto it but to implement the main set of SMB2 commands from scratch.
The logic for injecting into a session is as follows:
1. Stand in the middle between the attacked host and the third host
2. Wait for a SessionSetup Response with a positive status
3. Take the Session ID and the current command number
4. Copy the file to the administrative share (admin$)
5. Create a service that launches the file
6. Start the service
7. cmd.exe
Points 5 and 6 are possible only because Microsoft allows RPC requests to be transported over SMB.

That's all. This technique works well in an average domain. Often there is software that automatically performs some operations on client computers over SMB under an account with administrative rights. Or the administrator himself may be the direct target of the attack.
Kerberos is no obstacle for us. By the way, Kerberos in SMB is used only when the computer is accessed by name; when it is accessed by IP address, only NTLM is used. To attack a domain client, the attacker does not need to be a member of the domain.
SMB Hijacking can also be used in an ordinary workgroup if the requirements are met: the account has administrative rights and the IPC$ \ ADMIN$ administrative shares are available.
In addition to proxying and intercepting the SMB session, Intercepter injects a link to an SMB resource into the target's web traffic, which greatly speeds up the process of gaining access.
Once the file upload has succeeded, or if access is not available, the connection must be terminated: the attacked session is already broken (its command counter has been knocked out of sequence). So that the hijacking process does not loop, and so that the requested resource can still be reached, Intercepter marks the attack and stops interfering with the flow until the attack is restarted. This avoids both suspicion and malfunctions.
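The two rules stated earlier (a Session ID per session and a MessageId counter in the SMB2 header) are also what a monitor can watch: an injected request either reuses a MessageId the legitimate client is about to send or leaves the counter out of step, which is why the author notes that the hijacked session ends up broken. The following added example, which is not from the article or from Intercepter, builds a few SMB2 headers from the MS-SMB2 header layout as constructed sample traffic (no message bodies, and a placeholder signature rather than a computed one, which is an assumption of the demo) and walks them with two checks: a request on an established session that does not carry a populated SMB2_FLAGS_SIGNED signature, and a MessageId that fails to move forward. The SESSION_SETUP, TREE_CONNECT, CREATE and WRITE command codes and flag values are from MS-SMB2; the session id, the fake signature and the shape of the result tuples are the example's own.

```python
import struct

# SMB2 header layout from MS-SMB2 section 2.2.1.2: 64 bytes, little-endian.
# ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest,
# Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature.
SMB2_MAGIC = b"\xfeSMB"
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 64

SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses
SMB2_FLAGS_SIGNED = 0x00000008           # Signature field is valid
ZERO_SIG = b"\x00" * 16

SMB2_SESSION_SETUP, SMB2_TREE_CONNECT, SMB2_CREATE, SMB2_WRITE = 0x0001, 0x0003, 0x0005, 0x0009
CMD_NAMES = {SMB2_SESSION_SETUP: "SESSION_SETUP", SMB2_TREE_CONNECT: "TREE_CONNECT",
             SMB2_CREATE: "CREATE", SMB2_WRITE: "WRITE"}


def build_header(command, message_id, session_id, flags=0, status=0,
                 tree_id=0, signature=ZERO_SIG):
    """Build a 64-byte SMB2 header; used here only to construct sample traffic."""
    return struct.pack(HEADER_FMT, SMB2_MAGIC, HEADER_LEN, 1, status, command,
                       1, flags, 0, message_id, 0, tree_id, session_id, signature)


def parse_header(data):
    """Decode the fields the audit needs from one SMB2 header."""
    if len(data) < HEADER_LEN or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 header")
    (_, _, _, status, command, _, flags, _, message_id,
     _, tree_id, session_id, signature) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {
        "command": command,
        "status": status,
        "flags": flags,
        "message_id": message_id,
        "tree_id": tree_id,
        "session_id": session_id,
        "is_response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
        # A real monitor would recompute the signature with the session key;
        # here we only check that the flag is set and the field is populated.
        "signed": bool(flags & SMB2_FLAGS_SIGNED) and signature != ZERO_SIG,
    }


def audit_stream(packets):
    """Track established sessions; flag unsigned requests and MessageId reuse.

    Returns tuples (finding, session_id, message_id, command_name).
    """
    established = set()   # SessionIds whose SESSION_SETUP response was STATUS_SUCCESS
    last_message_id = {}  # SessionId -> highest MessageId seen from the client
    findings = []
    for raw in packets:
        h = parse_header(raw)
        sid = h["session_id"]
        if h["is_response"]:
            if h["command"] == SMB2_SESSION_SETUP and h["status"] == 0 and sid:
                established.add(sid)
            continue
        if sid not in established:
            continue  # NEGOTIATE / SESSION_SETUP requests carry no usable SessionId yet
        name = CMD_NAMES.get(h["command"], hex(h["command"]))
        if not h["signed"]:
            findings.append(("unsigned_request", sid, h["message_id"], name))
        prev = last_message_id.get(sid, -1)
        if h["message_id"] <= prev:
            findings.append(("message_id_reuse", sid, h["message_id"], name))
        last_message_id[sid] = max(prev, h["message_id"])
    return findings


SID = 0x0000100000000001      # constructed session id
FAKE_SIG = b"\x11" * 16       # placeholder, not a real HMAC/CMAC value
SAMPLE_STREAM = [             # constructed traffic: one header per packet, no bodies
    build_header(SMB2_SESSION_SETUP, 1, 0),
    build_header(SMB2_SESSION_SETUP, 1, SID, flags=SMB2_FLAGS_SERVER_TO_REDIR),
    build_header(SMB2_TREE_CONNECT, 2, SID),
    build_header(SMB2_CREATE, 3, SID, flags=SMB2_FLAGS_SIGNED, signature=FAKE_SIG),
    build_header(SMB2_WRITE, 3, SID),  # second request with MessageId 3, unsigned
    build_header(SMB2_CREATE, 4, SID, flags=SMB2_FLAGS_SIGNED, signature=FAKE_SIG),
]

if __name__ == "__main__":
    for kind, sid, mid, cmd in audit_stream(SAMPLE_STREAM):
        print(f"{kind:18} session=0x{sid:x} msgid={mid} cmd={cmd}")
```

The unsigned-request finding is the one that matters for mitigation: with signing required on both client and server (the RequireSecuritySignature policy), the server discards any request whose signature does not verify under the session key, so a command spliced into the session by a third party is dropped regardless of whether the session was authenticated with NTLM or Kerberos.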
A demo video of SMB Hijacking is below.
In addition to Kerberos Downgrade and SMB Hijacking, the new version of Intercepter contains the following changes.
The integrated WPAD MiTM proxy server now includes an NTLM-Response grabber; the resulting hashes can be analysed.
For a number of the intercepted hash types, brute force can be launched directly from the program. To do this, first download JTR (with the jumbo patch) and place it in the folder with Intercepter.
Smart Scan got a new OS fingerprinting method that gives more accurate results.
A SYN port scanner, a whitelist of MAC addresses for DHCP MiTM, support for IDN (internationalized domain names), and many other improvements and fixes were added.
SMB Hijacking is used by default. If you need to run the old SMBRelay, toggle the corresponding checkbox in Expert Mode.
Questions can be asked on the forum or by e-mail.
The information provided is for informational purposes only. The author bears no responsibility for any damage that may be caused by the material in this article.